/**
* Test saveSQL()
* @todo Figure out problem w/ mysql_real_escape_string()
* @todo Figure out how to test with magic quotes either on or off
*/
public function testSafeSQL()
{
$rs = mysql_connect();
if ($rs == false) {
PHPUnit2_Framework_Assert::fail("InputFilterTest:" . " unable to open a connction to MySQL");
}
// Trivial case, nothing to clean
$this->assertEquals(InputFilter::safeSQL('foo', $rs), 'foo');
$this->assertEquals(InputFilter::safeSQL(array('foo', 'bar'), $rs), array('foo', 'bar'));
if (get_magic_quotes_gpc()) {
// verify stripping of magic quotes
// FIXME: figure out how to test this case
$this->assertEquals(InputFilter::safeSQL('a\\\'b\\"c\\\\d\\\\x00e\\\\nf\\\\rg\\\\x1a', $rs), 'a\\\'b\\"c\\\\d\\\\x00e\\\\nf\\\\rg\\\\x1a');
} else {
// verify magic quotes aren't there
$pattern = "a'b\"c\\de\nf\rgh";
$non_zero_pattern = "a'b\"c\\de\nf\rgh";
$quoted_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\h";
$quoted_non_zero_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\h";
// echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
// $this->assertEquals(mysql_real_escape_string($non_zero_pattern),
// $quoted_non_zero_pattern);
// echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
// $this->assertEquals(mysql_real_escape_string($pattern),
// $quoted_pattern);
// $this->assertEquals(
// InputFilter::safeSQL($pattern,$rs),$quoted_pattern);
}
// Remove the following line when you complete this test.
throw new PHPUnit2_Framework_IncompleteTestError();
}
public function ValidateSQL($sql, $db)
{
$data = new InputFilter();
$data->sql = $data->safeSQL($sql, $db);
return $data->sql;
}
}
require_once DIR_WS_INCLUDES . 'database_tables.php';
require_once DIR_FS_INC . 'xtc_db_connect.inc.php';
require_once DIR_FS_INC . 'xtc_db_close.inc.php';
require_once DIR_FS_INC . 'xtc_db_error.inc.php';
require_once DIR_FS_INC . 'xtc_db_query.inc.php';
require_once DIR_FS_INC . 'xtc_not_null.inc.php';
require_once DIR_FS_INC . 'xtc_db_fetch_array.inc.php';
require_once DIR_FS_INC . 'xtc_db_input.inc.php';
require_once DIR_FS_INC . 'xtc_validate_password.inc.php';
require_once DIR_WS_CLASSES . 'class.inputfilter.php';
xtc_db_connect() or die('Unable to connect to database server!');
//$_POST security
$InputFilter = new InputFilter();
$_POST = $InputFilter->process($_POST);
$_POST = $InputFilter->safeSQL($_POST);
$check_customer_query = xtc_db_query('
SELECT customers_id,
customers_password,
customers_email_address
FROM ' . TABLE_CUSTOMERS . '
WHERE customers_email_address = "' . xtc_db_input($_POST['email_address']) . '"
AND customers_status = 0');
$check_customer = xtc_db_fetch_array($check_customer_query);
if (!xtc_validate_password(xtc_db_input($_POST['password']), $check_customer['customers_password'], $check_customer['customers_email_address'])) {
die('Zugriff verweigert. E-Mail und/oder Passwort falsch!');
} else {
if (isset($_POST['repair']) && xtc_not_null($_POST['repair'])) {
//repair options
switch ($_POST['repair']) {
// turn off SEO friendy URLs
}
// if gzip_compression is enabled and gzip_off is not set, start to buffer the output
if ((!isset($gzip_off) || !$gzip_off) && GZIP_COMPRESSION == 'true' && ($ext_zlib_loaded = extension_loaded('zlib')) && PHP_VERSION >= '4') {
if (($ini_zlib_output_compression = (int) ini_get('zlib.output_compression')) < 1) {
ob_start('ob_gzhandler');
} else {
ini_set('zlib.output_compression_level', GZIP_LEVEL);
}
}
// security inputfilter for GET/POST/COOKIE
require DIR_WS_CLASSES . 'class.inputfilter.php';
$InputFilter = new InputFilter();
$_GET = $InputFilter->process($_GET);
$_POST = $InputFilter->process($_POST);
$_REQUEST = $InputFilter->process($_REQUEST);
$_GET = $InputFilter->safeSQL($_GET, $link);
$_POST = $InputFilter->safeSQL($_POST, $link);
$_REQUEST = $InputFilter->safeSQL($_REQUEST, $link);
// set the top level domains
$http_domain = xtc_get_top_level_domain(HTTP_SERVER);
$https_domain = xtc_get_top_level_domain(HTTPS_SERVER);
$current_domain = $request_type == 'NONSSL' ? $http_domain : $https_domain;
// include shopping cart class
require DIR_WS_CLASSES . 'shopping_cart.php';
// include navigation history class
require DIR_WS_CLASSES . 'navigation_history.php';
// some code to solve compatibility issues
require DIR_WS_FUNCTIONS . 'compatibility.php';
// define how the session functions will be used
require DIR_WS_FUNCTIONS . 'sessions.php';
// set the session name and save path